@rubytech/create-maxy-code 0.1.219 → 0.1.221
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/package.json +1 -1
- package/payload/platform/plugins/admin/PLUGIN.md +2 -3
- package/payload/platform/plugins/admin/hooks/archive-ingest-surface-gate.sh +1 -2
- package/payload/platform/plugins/admin/hooks/lib/hook-emit.sh +3 -2
- package/payload/platform/plugins/admin/mcp/dist/index.js +2 -2
- package/payload/platform/plugins/admin/mcp/dist/index.js.map +1 -1
- package/payload/platform/plugins/admin/skills/admin-user-management/SKILL.md +1 -1
- package/payload/platform/plugins/admin/skills/platform-architecture/SKILL.md +8 -1
- package/payload/platform/plugins/admin/skills/plugin-management/SKILL.md +2 -2
- package/payload/platform/plugins/docs/references/troubleshooting.md +7 -0
- package/payload/platform/plugins/memory/references/graph-primitives.md +2 -2
- package/payload/platform/scripts/check-no-esm-require.mjs +3 -0
- package/payload/platform/scripts/setup-account.sh +0 -15
- package/payload/platform/services/claude-session-manager/dist/auth-snapshot.d.ts +4 -0
- package/payload/platform/services/claude-session-manager/dist/auth-snapshot.d.ts.map +1 -0
- package/payload/platform/services/claude-session-manager/dist/auth-snapshot.js +50 -0
- package/payload/platform/services/claude-session-manager/dist/auth-snapshot.js.map +1 -0
- package/payload/platform/services/claude-session-manager/dist/http-server.d.ts.map +1 -1
- package/payload/platform/services/claude-session-manager/dist/http-server.js +19 -2
- package/payload/platform/services/claude-session-manager/dist/http-server.js.map +1 -1
- package/payload/platform/services/claude-session-manager/dist/pty-spawner.d.ts.map +1 -1
- package/payload/platform/services/claude-session-manager/dist/pty-spawner.js +26 -19
- package/payload/platform/services/claude-session-manager/dist/pty-spawner.js.map +1 -1
- package/payload/server/server.js +49 -6
- package/payload/platform/plugins/admin/hooks/__tests__/pre-tool-use-admin-tool-gate.test.sh +0 -109
- package/payload/platform/plugins/admin/hooks/__tests__/pre-tool-use-base64-guard.test.sh +0 -204
- package/payload/platform/plugins/admin/hooks/__tests__/pre-tool-use-memory-write-passthrough.test.sh +0 -118
- package/payload/platform/plugins/admin/hooks/pre-tool-use.sh +0 -337
|
@@ -1,204 +0,0 @@
|
|
|
1
|
-
#!/usr/bin/env bash
|
|
2
|
-
# Regression test for the base64 context-overflow guard.
|
|
3
|
-
#
|
|
4
|
-
# Covers two PreToolUse rejection paths in pre-tool-use.sh:
|
|
5
|
-
#
|
|
6
|
-
# 1. Bash producer guard — `tool_input.command` invoking `base64` (encode
|
|
7
|
-
# direction) or `xxd -p` is rejected; `base64 -d|-D|--decode` is allowed.
|
|
8
|
-
# 2. Write/Edit consumer guard — `tool_input.content` (Write) or
|
|
9
|
-
# `tool_input.new_string` (Edit) carrying `data:<mime>;base64,<≥4096 chars>`
|
|
10
|
-
# is rejected; small inline data URIs and plain content are allowed.
|
|
11
|
-
#
|
|
12
|
-
# Plus a fail-open case (malformed stdin → exit 0 silent) to pin the contract
|
|
13
|
-
# established by the playwright-file-guard test (terminal-stdin guard + parse-
|
|
14
|
-
# error fail-open).
|
|
15
|
-
|
|
16
|
-
set -u
|
|
17
|
-
|
|
18
|
-
HOOK="$(cd "$(dirname "$0")/.." && pwd)/pre-tool-use.sh"
|
|
19
|
-
if [[ ! -x "$HOOK" ]]; then
|
|
20
|
-
echo "FAIL: $HOOK not executable" >&2
|
|
21
|
-
exit 1
|
|
22
|
-
fi
|
|
23
|
-
|
|
24
|
-
TMPFILES=()
|
|
25
|
-
cleanup_test_state() {
|
|
26
|
-
for f in "${TMPFILES[@]:-}"; do
|
|
27
|
-
[[ -n "$f" ]] && rm -f "$f" 2>/dev/null || true
|
|
28
|
-
done
|
|
29
|
-
}
|
|
30
|
-
trap cleanup_test_state EXIT
|
|
31
|
-
|
|
32
|
-
PASS=0
|
|
33
|
-
FAIL=0
|
|
34
|
-
pass() { echo "PASS: $1"; PASS=$((PASS + 1)); }
|
|
35
|
-
fail() { echo "FAIL: $1" >&2; FAIL=$((FAIL + 1)); }
|
|
36
|
-
|
|
37
|
-
# Helper: run hook with Bash tool_input.command and assert exit code + stderr.
|
|
38
|
-
run_bash() {
|
|
39
|
-
local command_text="$1"; local expected_rc="$2"; local stderr_pattern="$3"; local label="$4"
|
|
40
|
-
local input_json
|
|
41
|
-
# Build the input JSON via python3 so command_text with quotes / specials is safe.
|
|
42
|
-
input_json=$(python3 -c '
|
|
43
|
-
import json, sys
|
|
44
|
-
print(json.dumps({"hook_event_name": "PreToolUse", "tool_name": "Bash", "tool_input": {"command": sys.argv[1]}, "transcript_path": "/tmp/sess/parent.jsonl", "parent_tool_use_id": "toolu_test_subagent"}, separators=(",", ":")))
|
|
45
|
-
' "$command_text")
|
|
46
|
-
local stdout_file; stdout_file=$(mktemp); TMPFILES+=("$stdout_file")
|
|
47
|
-
local stderr_file; stderr_file=$(mktemp); TMPFILES+=("$stderr_file")
|
|
48
|
-
printf '%s' "$input_json" | bash "$HOOK" admin >"$stdout_file" 2>"$stderr_file"
|
|
49
|
-
local rc=$?
|
|
50
|
-
if [[ "$rc" -ne "$expected_rc" ]]; then
|
|
51
|
-
fail "$label: expected exit $expected_rc, got $rc. Stderr: $(cat "$stderr_file")"
|
|
52
|
-
return
|
|
53
|
-
fi
|
|
54
|
-
if [[ -n "$stderr_pattern" ]] && ! grep -qE "$stderr_pattern" "$stderr_file"; then
|
|
55
|
-
fail "$label: stderr missing pattern '$stderr_pattern'. Got: $(cat "$stderr_file")"
|
|
56
|
-
return
|
|
57
|
-
fi
|
|
58
|
-
pass "$label"
|
|
59
|
-
}
|
|
60
|
-
|
|
61
|
-
# Helper: run hook with Write tool_input.content and assert exit code + stderr.
|
|
62
|
-
run_write() {
|
|
63
|
-
local content="$1"; local expected_rc="$2"; local stderr_pattern="$3"; local label="$4"
|
|
64
|
-
local input_json
|
|
65
|
-
input_json=$(python3 -c '
|
|
66
|
-
import json, sys
|
|
67
|
-
print(json.dumps({"hook_event_name": "PreToolUse", "tool_name": "Write", "tool_input": {"file_path": "/tmp/test.html", "content": sys.argv[1]}, "transcript_path": "/tmp/sess/parent.jsonl", "parent_tool_use_id": "toolu_test_subagent"}, separators=(",", ":")))
|
|
68
|
-
' "$content")
|
|
69
|
-
local stdout_file; stdout_file=$(mktemp); TMPFILES+=("$stdout_file")
|
|
70
|
-
local stderr_file; stderr_file=$(mktemp); TMPFILES+=("$stderr_file")
|
|
71
|
-
printf '%s' "$input_json" | bash "$HOOK" admin >"$stdout_file" 2>"$stderr_file"
|
|
72
|
-
local rc=$?
|
|
73
|
-
if [[ "$rc" -ne "$expected_rc" ]]; then
|
|
74
|
-
fail "$label: expected exit $expected_rc, got $rc. Stderr: $(cat "$stderr_file")"
|
|
75
|
-
return
|
|
76
|
-
fi
|
|
77
|
-
if [[ -n "$stderr_pattern" ]] && ! grep -qE "$stderr_pattern" "$stderr_file"; then
|
|
78
|
-
fail "$label: stderr missing pattern '$stderr_pattern'. Got: $(cat "$stderr_file")"
|
|
79
|
-
return
|
|
80
|
-
fi
|
|
81
|
-
pass "$label"
|
|
82
|
-
}
|
|
83
|
-
|
|
84
|
-
# Helper: run hook with Edit tool_input.new_string and assert exit code.
|
|
85
|
-
run_edit() {
|
|
86
|
-
local new_string="$1"; local expected_rc="$2"; local stderr_pattern="$3"; local label="$4"
|
|
87
|
-
local input_json
|
|
88
|
-
input_json=$(python3 -c '
|
|
89
|
-
import json, sys
|
|
90
|
-
print(json.dumps({"hook_event_name": "PreToolUse", "tool_name": "Edit", "tool_input": {"file_path": "/tmp/test.html", "old_string": "OLD", "new_string": sys.argv[1]}, "transcript_path": "/tmp/sess/parent.jsonl", "parent_tool_use_id": "toolu_test_subagent"}, separators=(",", ":")))
|
|
91
|
-
' "$new_string")
|
|
92
|
-
local stdout_file; stdout_file=$(mktemp); TMPFILES+=("$stdout_file")
|
|
93
|
-
local stderr_file; stderr_file=$(mktemp); TMPFILES+=("$stderr_file")
|
|
94
|
-
printf '%s' "$input_json" | bash "$HOOK" admin >"$stdout_file" 2>"$stderr_file"
|
|
95
|
-
local rc=$?
|
|
96
|
-
if [[ "$rc" -ne "$expected_rc" ]]; then
|
|
97
|
-
fail "$label: expected exit $expected_rc, got $rc. Stderr: $(cat "$stderr_file")"
|
|
98
|
-
return
|
|
99
|
-
fi
|
|
100
|
-
if [[ -n "$stderr_pattern" ]] && ! grep -qE "$stderr_pattern" "$stderr_file"; then
|
|
101
|
-
fail "$label: stderr missing pattern '$stderr_pattern'. Got: $(cat "$stderr_file")"
|
|
102
|
-
return
|
|
103
|
-
fi
|
|
104
|
-
pass "$label"
|
|
105
|
-
}
|
|
106
|
-
|
|
107
|
-
# Generate a base64-character blob >= 4096 chars (data-URI body trigger).
|
|
108
|
-
LARGE_B64=$(python3 -c "print('A' * 5000)")
|
|
109
|
-
|
|
110
|
-
# ───────── Bash producer guard ──────────────────────────────────────────────
|
|
111
|
-
run_bash "echo hello world" 0 "" \
|
|
112
|
-
"Test 1: bare Bash command (no base64) allowed"
|
|
113
|
-
|
|
114
|
-
run_bash "ls -la" 0 "" \
|
|
115
|
-
"Test 2: ls -la (no base64 token) allowed"
|
|
116
|
-
|
|
117
|
-
run_bash "base64 /tmp/foo.png" 2 '\[pre-tool-use\] guard=base64-tool-result.*tool=Bash.*reason=base64-encoder.*action=reject' \
|
|
118
|
-
"Test 3: 'base64 file' (encode) rejected"
|
|
119
|
-
|
|
120
|
-
run_bash "cat foo.png | base64" 2 '\[pre-tool-use\] guard=base64-tool-result.*action=reject' \
|
|
121
|
-
"Test 4: 'cat | base64' (encode pipeline) rejected"
|
|
122
|
-
|
|
123
|
-
run_bash "cat foo.png|base64 -w0" 2 '\[pre-tool-use\] guard=base64-tool-result.*action=reject' \
|
|
124
|
-
"Test 5: 'base64 -w0' (encode with line-wrap flag) rejected"
|
|
125
|
-
|
|
126
|
-
run_bash "xxd -p file.bin" 2 '\[pre-tool-use\] guard=base64-tool-result.*reason=xxd-plain-hex.*action=reject' \
|
|
127
|
-
"Test 6: 'xxd -p' (plain hex encode) rejected"
|
|
128
|
-
|
|
129
|
-
run_bash "base64 -d input.b64 > output.bin" 0 "" \
|
|
130
|
-
"Test 7: 'base64 -d' (decode direction) allowed"
|
|
131
|
-
|
|
132
|
-
run_bash "base64 --decode < x.b64 > y.bin" 0 "" \
|
|
133
|
-
"Test 8: 'base64 --decode' (decode long-form) allowed"
|
|
134
|
-
|
|
135
|
-
run_bash "echo Zm9v | base64 -d" 0 "" \
|
|
136
|
-
"Test 9: 'base64 -d' decode pipeline allowed"
|
|
137
|
-
|
|
138
|
-
run_bash "echo '--debug-base64-foo'" 0 "" \
|
|
139
|
-
"Test 10: 'base64' substring inside flag name does NOT false-match"
|
|
140
|
-
|
|
141
|
-
run_bash "ls mybase64tool" 0 "" \
|
|
142
|
-
"Test 11: 'base64' substring inside identifier does NOT false-match"
|
|
143
|
-
|
|
144
|
-
run_bash "cat in.b64 | base64 -d > /tmp/foo.bin; cat /tmp/bar.png | base64" 2 '\[pre-tool-use\] guard=base64-tool-result.*reason=base64-encoder.*action=reject' \
|
|
145
|
-
"Test 11b: compound (decode ; encode) rejects encoder segment (per-segment scan)"
|
|
146
|
-
|
|
147
|
-
run_bash "echo data | base64 -d > x.bin && cat y.png | base64 > y.b64" 2 '\[pre-tool-use\] guard=base64-tool-result.*action=reject' \
|
|
148
|
-
"Test 11c: compound (decode && encode) rejects encoder segment"
|
|
149
|
-
|
|
150
|
-
run_bash "base64 -d in.b64 > out.bin; base64 -d in2.b64 > out2.bin" 0 "" \
|
|
151
|
-
"Test 11d: compound (decode ; decode) allowed"
|
|
152
|
-
|
|
153
|
-
# ───────── Write/Edit consumer guard ────────────────────────────────────────
|
|
154
|
-
run_write "<html><body>hello world</body></html>" 0 "" \
|
|
155
|
-
"Test 12: Write small HTML content (no data URI) allowed"
|
|
156
|
-
|
|
157
|
-
run_write "<img src='data:image/png;base64,AAAA'>" 0 "" \
|
|
158
|
-
"Test 13: Write content with small inline data URI (<4096 chars) allowed"
|
|
159
|
-
|
|
160
|
-
run_write "<img src='data:image/png;base64,${LARGE_B64}'>" 2 '\[pre-tool-use\] guard=base64-write-content.*action=reject' \
|
|
161
|
-
"Test 14: Write content with large inline data URI (>4096 chars) rejected"
|
|
162
|
-
|
|
163
|
-
run_edit "<img src='data:image/png;base64,${LARGE_B64}'>" 2 '\[pre-tool-use\] guard=base64-write-content.*action=reject' \
|
|
164
|
-
"Test 15: Edit new_string with large inline data URI rejected"
|
|
165
|
-
|
|
166
|
-
run_edit "<p>just text replacement</p>" 0 "" \
|
|
167
|
-
"Test 16: Edit new_string with plain text allowed"
|
|
168
|
-
|
|
169
|
-
# ───────── Fail-open / structural ───────────────────────────────────────────
|
|
170
|
-
STDOUT_FILE=$(mktemp); STDERR_FILE=$(mktemp); TMPFILES+=("$STDOUT_FILE" "$STDERR_FILE")
|
|
171
|
-
printf '%s' 'not json at all { ' | bash "$HOOK" admin >"$STDOUT_FILE" 2>"$STDERR_FILE"
|
|
172
|
-
RC=$?
|
|
173
|
-
if [[ "$RC" -ne 0 ]]; then
|
|
174
|
-
fail "Test 17: malformed stdin should fail open (exit 0), got $RC. Stderr: $(cat "$STDERR_FILE")"
|
|
175
|
-
else
|
|
176
|
-
pass "Test 17: malformed stdin → silent passthrough (fail-open)"
|
|
177
|
-
fi
|
|
178
|
-
|
|
179
|
-
# Terminal-stdin guard preserved (no -t 0 test runs in test harness; assert
|
|
180
|
-
# the guard line exists in source).
|
|
181
|
-
if ! grep -q '\[ -t 0 \]' "$HOOK"; then
|
|
182
|
-
fail "Test 18: terminal stdin guard missing from hook source"
|
|
183
|
-
else
|
|
184
|
-
pass "Test 18: terminal stdin guard present in source"
|
|
185
|
-
fi
|
|
186
|
-
|
|
187
|
-
# Pre-existing guards still active — entitlement file edit still rejected.
|
|
188
|
-
ENT_JSON=$(python3 -c 'import json; print(json.dumps({"hook_event_name":"PreToolUse","tool_name":"Write","tool_input":{"file_path":"/srv/entitlement.json","content":"{\"tier\":\"max\"}"},"transcript_path":"/tmp/sess/parent.jsonl","parent_tool_use_id":"toolu_test_subagent"}, separators=(",", ":")))')
|
|
189
|
-
STDOUT_FILE=$(mktemp); STDERR_FILE=$(mktemp); TMPFILES+=("$STDOUT_FILE" "$STDERR_FILE")
|
|
190
|
-
printf '%s' "$ENT_JSON" | bash "$HOOK" admin >"$STDOUT_FILE" 2>"$STDERR_FILE"
|
|
191
|
-
RC=$?
|
|
192
|
-
if [[ "$RC" -ne 2 ]]; then
|
|
193
|
-
fail "Test 19: pre-existing entitlement guard regressed (expected exit 2, got $RC)"
|
|
194
|
-
else
|
|
195
|
-
pass "Test 19: pre-existing entitlement guard still rejects entitlement.json"
|
|
196
|
-
fi
|
|
197
|
-
|
|
198
|
-
echo
|
|
199
|
-
echo "──────── pre-tool-use base64 guard test summary ────────"
|
|
200
|
-
echo "PASS: $PASS"
|
|
201
|
-
echo "FAIL: $FAIL"
|
|
202
|
-
|
|
203
|
-
[[ "$FAIL" -gt 0 ]] && exit 1
|
|
204
|
-
exit 0
|
package/payload/platform/plugins/admin/hooks/__tests__/pre-tool-use-memory-write-passthrough.test.sh
DELETED
|
@@ -1,118 +0,0 @@
|
|
|
1
|
-
#!/usr/bin/env bash
|
|
2
|
-
# Task 225 — passthrough regression test for memory-write / memory-update
|
|
3
|
-
# under the admin agent's pre-tool-use.sh.
|
|
4
|
-
#
|
|
5
|
-
# The Task 213→222 chain previously gated both writers at the top of the
|
|
6
|
-
# admin branch with an exit-2 block (admin direct) and an exit-0 allow
|
|
7
|
-
# (Task-subagent). Task 225 reversed the doctrine: admin holds the
|
|
8
|
-
# writers in its own surface and the case-block was deleted. This test
|
|
9
|
-
# pins the new behaviour so a future re-introduction of the block
|
|
10
|
-
# cannot land silently.
|
|
11
|
-
#
|
|
12
|
-
# Five cases:
|
|
13
|
-
# 1. mcp__plugin_memory_memory__memory-write admin-direct → exit 0, no rejection stderr
|
|
14
|
-
# 2. mcp__plugin_memory_memory__memory-update admin-direct → exit 0, no rejection stderr
|
|
15
|
-
# 3. mcp__plugin_memory_memory__memory-search admin-direct → exit 0, no rejection stderr (read tool control)
|
|
16
|
-
# 4. mcp__memory__memory-write admin-direct → exit 0 (pre-209 namespace, falls through harmlessly)
|
|
17
|
-
# 5. malformed JSON stdin → exit 0 (no crash; case-block removal does not break fall-through)
|
|
18
|
-
|
|
19
|
-
set -u
|
|
20
|
-
|
|
21
|
-
HOOK="$(cd "$(dirname "$0")/.." && pwd)/pre-tool-use.sh"
|
|
22
|
-
if [[ ! -x "$HOOK" ]]; then
|
|
23
|
-
echo "FAIL: $HOOK not executable" >&2
|
|
24
|
-
exit 1
|
|
25
|
-
fi
|
|
26
|
-
|
|
27
|
-
TMPFILES=()
|
|
28
|
-
cleanup() {
|
|
29
|
-
for f in "${TMPFILES[@]:-}"; do
|
|
30
|
-
[[ -n "$f" ]] && rm -f "$f" 2>/dev/null || true
|
|
31
|
-
done
|
|
32
|
-
}
|
|
33
|
-
trap cleanup EXIT
|
|
34
|
-
|
|
35
|
-
PASS=0
|
|
36
|
-
FAIL=0
|
|
37
|
-
pass() { echo "PASS: $1"; PASS=$((PASS + 1)); }
|
|
38
|
-
fail() { echo "FAIL: $1" >&2; FAIL=$((FAIL + 1)); }
|
|
39
|
-
|
|
40
|
-
# Admin-direct calls land with a non-subagent transcript path. A synthetic
|
|
41
|
-
# empty file in a temp dir is enough — the hook no longer reads the path
|
|
42
|
-
# for the deleted writers' case-block, but other gates may still touch it.
|
|
43
|
-
ADMIN_TRANSCRIPT=$(mktemp); TMPFILES+=("$ADMIN_TRANSCRIPT")
|
|
44
|
-
: > "$ADMIN_TRANSCRIPT"
|
|
45
|
-
|
|
46
|
-
run_with_tool() {
|
|
47
|
-
local tool="$1"
|
|
48
|
-
local sid="$2"
|
|
49
|
-
local transcript_path="${3:-}"
|
|
50
|
-
local stdout_file; stdout_file=$(mktemp); TMPFILES+=("$stdout_file")
|
|
51
|
-
local stderr_file; stderr_file=$(mktemp); TMPFILES+=("$stderr_file")
|
|
52
|
-
python3 -c '
|
|
53
|
-
import json, sys
|
|
54
|
-
payload = {
|
|
55
|
-
"hook_event_name": "PreToolUse",
|
|
56
|
-
"session_id": sys.argv[1],
|
|
57
|
-
"tool_name": sys.argv[2],
|
|
58
|
-
"tool_input": {"name":"Smalleys","accountId":"acct-x","scope":"shared"},
|
|
59
|
-
}
|
|
60
|
-
if sys.argv[3]:
|
|
61
|
-
payload["transcript_path"] = sys.argv[3]
|
|
62
|
-
print(json.dumps(payload, separators=(",", ":")))
|
|
63
|
-
' "$sid" "$tool" "$transcript_path" | bash "$HOOK" admin >"$stdout_file" 2>"$stderr_file"
|
|
64
|
-
HOOK_RC=$?
|
|
65
|
-
HOOK_STDERR=$(cat "$stderr_file")
|
|
66
|
-
}
|
|
67
|
-
|
|
68
|
-
assert_passthrough() {
|
|
69
|
-
local label="$1"
|
|
70
|
-
if [[ "$HOOK_RC" -ne 0 ]]; then
|
|
71
|
-
fail "${label}: expected exit 0, got $HOOK_RC stderr: $HOOK_STDERR"
|
|
72
|
-
return
|
|
73
|
-
fi
|
|
74
|
-
if echo "$HOOK_STDERR" | grep -qF "does not write to the graph directly"; then
|
|
75
|
-
fail "${label}: stderr carries deleted-block rejection message: $HOOK_STDERR"
|
|
76
|
-
return
|
|
77
|
-
fi
|
|
78
|
-
pass "${label}: exit 0, no rejection stderr"
|
|
79
|
-
}
|
|
80
|
-
|
|
81
|
-
# --- 1. memory-write admin-direct passthrough ---------------------------
|
|
82
|
-
run_with_tool "mcp__plugin_memory_memory__memory-write" "sess-write-1" "$ADMIN_TRANSCRIPT"
|
|
83
|
-
assert_passthrough "admin-direct memory-write"
|
|
84
|
-
|
|
85
|
-
# --- 2. memory-update admin-direct passthrough --------------------------
|
|
86
|
-
run_with_tool "mcp__plugin_memory_memory__memory-update" "sess-update-1" "$ADMIN_TRANSCRIPT"
|
|
87
|
-
assert_passthrough "admin-direct memory-update"
|
|
88
|
-
|
|
89
|
-
# --- 3. memory-search admin-direct passthrough (read tool control) -----
|
|
90
|
-
run_with_tool "mcp__plugin_memory_memory__memory-search" "sess-search-1" "$ADMIN_TRANSCRIPT"
|
|
91
|
-
assert_passthrough "admin-direct memory-search (read tool control)"
|
|
92
|
-
|
|
93
|
-
# --- 4. pre-209 namespace mcp__memory__memory-write ---------------------
|
|
94
|
-
# The bare mcp__memory__ namespace was never in the admin runtime surface
|
|
95
|
-
# after Task 203's plugin_ prefix rename; this case pins that it still
|
|
96
|
-
# falls through harmlessly after the case-block removal.
|
|
97
|
-
run_with_tool "mcp__memory__memory-write" "sess-old-ns-1" "$ADMIN_TRANSCRIPT"
|
|
98
|
-
assert_passthrough "pre-209 namespace mcp__memory__memory-write"
|
|
99
|
-
|
|
100
|
-
# --- 5. malformed JSON stdin — hook must not crash ----------------------
|
|
101
|
-
stderr_file=$(mktemp); TMPFILES+=("$stderr_file")
|
|
102
|
-
stdout_file=$(mktemp); TMPFILES+=("$stdout_file")
|
|
103
|
-
echo "not-valid-json{{{" | bash "$HOOK" admin >"$stdout_file" 2>"$stderr_file"
|
|
104
|
-
HOOK_RC=$?
|
|
105
|
-
HOOK_STDERR=$(cat "$stderr_file")
|
|
106
|
-
if [[ "$HOOK_RC" -ne 0 ]]; then
|
|
107
|
-
fail "malformed payload: expected exit 0, got $HOOK_RC stderr: $HOOK_STDERR"
|
|
108
|
-
elif echo "$HOOK_STDERR" | grep -qF "does not write to the graph directly"; then
|
|
109
|
-
fail "malformed payload: stderr carries deleted-block rejection message: $HOOK_STDERR"
|
|
110
|
-
else
|
|
111
|
-
pass "malformed payload: exit 0, hook does not crash"
|
|
112
|
-
fi
|
|
113
|
-
|
|
114
|
-
# --- Summary -----------------------------------------------------------
|
|
115
|
-
echo "---"
|
|
116
|
-
echo "PASSED: $PASS FAILED: $FAIL"
|
|
117
|
-
[[ "$FAIL" -eq 0 ]] || exit 1
|
|
118
|
-
exit 0
|
|
@@ -1,337 +0,0 @@
|
|
|
1
|
-
#!/usr/bin/env bash
|
|
2
|
-
# PreToolUse hook — enforces agent tool boundaries and approval gating.
|
|
3
|
-
# Usage: pre-tool-use.sh <agent-type>
|
|
4
|
-
# Receives tool call JSON on stdin (from Claude Code hook protocol).
|
|
5
|
-
# Exit 0 = allow, exit 2 = block.
|
|
6
|
-
|
|
7
|
-
set -uo pipefail
|
|
8
|
-
|
|
9
|
-
AGENT_TYPE="${1:-public}"
|
|
10
|
-
|
|
11
|
-
# Source the propagation emitter (Task 560). The library is fail-open;
|
|
12
|
-
# any error path inside it logs to server.log and returns 0, so sourcing
|
|
13
|
-
# never blocks the hook's primary allow/block contract.
|
|
14
|
-
HOOKS_LIB_DIR="$(cd "$(dirname "$0")" 2>/dev/null && pwd)/lib"
|
|
15
|
-
# shellcheck disable=SC1091
|
|
16
|
-
[ -f "$HOOKS_LIB_DIR/hook-emit.sh" ] && source "$HOOKS_LIB_DIR/hook-emit.sh"
|
|
17
|
-
|
|
18
|
-
# Read stdin — fail closed if unavailable
|
|
19
|
-
if [ -t 0 ]; then
|
|
20
|
-
# No INPUT yet; propagate with agentId=unknown so the regression is visible.
|
|
21
|
-
if declare -F hook_emit_decision >/dev/null 2>&1; then
|
|
22
|
-
hook_emit_decision "unknown" "admin-tool-gate" "?" "block" \
|
|
23
|
-
"stdin-missing" "Blocked: Cannot determine tool call (no stdin). Failing closed." 2 0
|
|
24
|
-
fi
|
|
25
|
-
echo "Blocked: Cannot determine tool call (no stdin). Failing closed." >&2
|
|
26
|
-
exit 2
|
|
27
|
-
fi
|
|
28
|
-
INPUT=$(cat)
|
|
29
|
-
TOOL_NAME=$(echo "$INPUT" | grep -o '"tool_name":"[^"]*"' | head -1 | cut -d'"' -f4)
|
|
30
|
-
|
|
31
|
-
# Session id for propagation. Empty / parse-failure routes to "unknown" —
|
|
32
|
-
# the propagator emits the record under agentId=unknown rather than dropping.
|
|
33
|
-
SESSION_ID=$(printf '%s' "$INPUT" | python3 -c '
|
|
34
|
-
import sys, json
|
|
35
|
-
try:
|
|
36
|
-
print(json.load(sys.stdin).get("session_id", "") or "unknown")
|
|
37
|
-
except Exception:
|
|
38
|
-
print("unknown")
|
|
39
|
-
' 2>/dev/null || echo "unknown")
|
|
40
|
-
|
|
41
|
-
# ---------------------------------------------------------------------------
|
|
42
|
-
# Admin agent — code directory protection + approval gating
|
|
43
|
-
# ---------------------------------------------------------------------------
|
|
44
|
-
if [ "$AGENT_TYPE" = "admin" ]; then
|
|
45
|
-
|
|
46
|
-
# ── Code directory protection ────────────────────────────────────────────
|
|
47
|
-
case "$TOOL_NAME" in
|
|
48
|
-
Write|Edit)
|
|
49
|
-
FILE_PATH=$(echo "$INPUT" | grep -o '"file_path":"[^"]*"' | head -1 | cut -d'"' -f4)
|
|
50
|
-
case "$FILE_PATH" in
|
|
51
|
-
# Platform UI source (platform/ui/) — source lives here, not on device
|
|
52
|
-
*/platform/ui/app/*|*/platform/ui/lib/*|*/platform/ui/*.ts|*/platform/ui/*.tsx|*/platform/ui/*.mjs)
|
|
53
|
-
hook_block_with_emit "$SESSION_ID" "admin-tool-gate" "${TOOL_NAME}" \
|
|
54
|
-
"code-dir-protection-ui" \
|
|
55
|
-
"Blocked: Admin agent cannot modify platform UI source at $FILE_PATH"
|
|
56
|
-
;;
|
|
57
|
-
# Compiled MCP servers, hooks, and scripts — what actually ships to device
|
|
58
|
-
*/platform/plugins/*/mcp/dist/*|*/platform/plugins/*/hooks/*|*/platform/scripts/*)
|
|
59
|
-
hook_block_with_emit "$SESSION_ID" "admin-tool-gate" "${TOOL_NAME}" \
|
|
60
|
-
"code-dir-protection-platform" \
|
|
61
|
-
"Blocked: Admin agent cannot modify platform code at $FILE_PATH"
|
|
62
|
-
;;
|
|
63
|
-
# Entitlement library — verifier source, compiled output, vendored
|
|
64
|
-
# pubkey, hash file, and any signed entitlement.json. Tampering here is the
|
|
65
|
-
# agent path to revenue bypass; the legitimate write path is the Rubytech
|
|
66
|
-
# issuance endpoint, never the agent's filesystem.
|
|
67
|
-
# Patterns intentionally cover both absolute (*/...) and relative
|
|
68
|
-
# (no leading slash) paths so an agent can't bypass via cwd-relative writes.
|
|
69
|
-
*/platform/lib/entitlement/*|platform/lib/entitlement/*|*/entitlement.json|entitlement.json)
|
|
70
|
-
echo "[entitlement] tool-deny: tool=${TOOL_NAME} path=${FILE_PATH} field=entitlement-file" >&2
|
|
71
|
-
hook_block_with_emit "$SESSION_ID" "admin-tool-gate" "${TOOL_NAME}" \
|
|
72
|
-
"entitlement-file" \
|
|
73
|
-
"Blocked: Admin agent cannot modify entitlement files at $FILE_PATH. Effective tier and purchasedPlugins derive from a Rubytech-signed payload."
|
|
74
|
-
;;
|
|
75
|
-
# account.json — agent must use the account-update
|
|
76
|
-
# MCP tool (or plugin-toggle-enabled for enabledPlugins changes), which
|
|
77
|
-
# whitelists editable fields server-side. Direct Edit/Write bypasses
|
|
78
|
-
# that whitelist; deny unconditionally including cwd-relative paths.
|
|
79
|
-
# adds */account.json and *account.json as a backstop so any
|
|
80
|
-
# layout the named patterns miss is still caught — the Adam Mackay
|
|
81
|
-
# incident showed a tier upgrade via raw Edit on account.json reach
|
|
82
|
-
# the disk, exactly the failure mode this hook exists to prevent.
|
|
83
|
-
*/data/accounts/*/account.json|*/config/accounts/*/account.json|data/accounts/*/account.json|config/accounts/*/account.json|*/account.json|*account.json|account.json)
|
|
84
|
-
echo "[entitlement] tool-deny: tool=${TOOL_NAME} path=${FILE_PATH} field=account-json" >&2
|
|
85
|
-
hook_block_with_emit "$SESSION_ID" "admin-tool-gate" "${TOOL_NAME}" \
|
|
86
|
-
"account-json" \
|
|
87
|
-
"Blocked: Admin agent cannot edit account.json directly. Use the account-update or plugin-toggle-enabled MCP tools — they whitelist editable fields server-side and exclude tier and purchasedPlugins by design."
|
|
88
|
-
;;
|
|
89
|
-
# Pending action queue — only the hook and MCP tools may write here
|
|
90
|
-
*/pending-actions/*)
|
|
91
|
-
hook_block_with_emit "$SESSION_ID" "admin-tool-gate" "${TOOL_NAME}" \
|
|
92
|
-
"pending-actions" \
|
|
93
|
-
"Blocked: Admin agent cannot modify pending action files directly"
|
|
94
|
-
;;
|
|
95
|
-
esac
|
|
96
|
-
;;
|
|
97
|
-
Bash)
|
|
98
|
-
# Block shell commands referencing protected code directories or pending actions
|
|
99
|
-
case "$INPUT" in
|
|
100
|
-
*"platform/ui/app/"*|*"platform/ui/lib/"*|*"platform/plugins/"*"hooks/"*|*"platform/scripts/"*)
|
|
101
|
-
hook_block_with_emit "$SESSION_ID" "admin-tool-gate" "Bash" \
|
|
102
|
-
"code-dir-protection-bash" \
|
|
103
|
-
"Blocked: Admin agent cannot run shell commands against code directories"
|
|
104
|
-
;;
|
|
105
|
-
# Entitlement files via shell — same surface, blocked symmetrically
|
|
106
|
-
*"platform/lib/entitlement/"*|*"entitlement.json"*)
|
|
107
|
-
echo "[entitlement] tool-deny: tool=Bash path=entitlement-file field=entitlement-file" >&2
|
|
108
|
-
hook_block_with_emit "$SESSION_ID" "admin-tool-gate" "Bash" \
|
|
109
|
-
"entitlement-shell" \
|
|
110
|
-
"Blocked: Admin agent cannot reference entitlement files via shell."
|
|
111
|
-
;;
|
|
112
|
-
# account.json via shell — same rationale as Edit/Write block
|
|
113
|
-
*"data/accounts/"*"account.json"*|*"config/accounts/"*"account.json"*)
|
|
114
|
-
echo "[entitlement] tool-deny: tool=Bash path=account-json field=account-json" >&2
|
|
115
|
-
hook_block_with_emit "$SESSION_ID" "admin-tool-gate" "Bash" \
|
|
116
|
-
"account-json-shell" \
|
|
117
|
-
"Blocked: Admin agent cannot edit account.json via shell. Use the account-update MCP tool."
|
|
118
|
-
;;
|
|
119
|
-
*"pending-actions/"*)
|
|
120
|
-
hook_block_with_emit "$SESSION_ID" "admin-tool-gate" "Bash" \
|
|
121
|
-
"pending-actions-shell" \
|
|
122
|
-
"Blocked: Admin agent cannot modify pending action files via shell"
|
|
123
|
-
;;
|
|
124
|
-
esac
|
|
125
|
-
;;
|
|
126
|
-
esac
|
|
127
|
-
|
|
128
|
-
# ── Base64 context-overflow guard ─────────────────────────────
|
|
129
|
-
# Block inline base64 payloads from reaching the model context. Two paths:
|
|
130
|
-
#
|
|
131
|
-
# 1. Bash command that ENCODES a binary file to base64/hex (the producer).
|
|
132
|
-
# 2. Write/Edit content carrying an inline `data:<mime>;base64,…` blob
|
|
133
|
-
# (the consumer — agent quoting bytes from a prior tool_result into a
|
|
134
|
-
# HTML/markdown Write).
|
|
135
|
-
#
|
|
136
|
-
# Either path landed ~33 KB of base64 in the SDK request and the next turn
|
|
137
|
-
# tripped `main_stream_stalled` at 180 s. The
|
|
138
|
-
# remediation is symmetric: the agent saves bytes to `$ACCOUNT_DIR/tmp/<sha1>.<ext>`
|
|
139
|
-
# and references the path (`<img src="./file">` or Read-by-path) instead of
|
|
140
|
-
# carrying bytes through the assistant turn.
|
|
141
|
-
#
|
|
142
|
-
# Parsing uses python3 (already a hook dependency at the action-id site
|
|
143
|
-
# below); grep on JSON is unsafe for content with escaped quotes or
|
|
144
|
-
# embedded newlines. Parse failure is fail-open (empty extracted string,
|
|
145
|
-
# no match, allow) — matches the playwright-file-guard fail-open contract.
|
|
146
|
-
# Single python3 invocation parses the JSON, runs the tool-specific
|
|
147
|
-
# regex match (avoiding BSD-vs-GNU grep interval-count incompatibilities —
|
|
148
|
-
# `grep -E '{4096,}'` errors with "invalid repetition count(s)" on macOS
|
|
149
|
-
# BSD grep under some pattern combinations), and prints the rejection
|
|
150
|
-
# outcome to stdout as `REJECT:<reason>:<bytes>` or `ALLOW`. The wrapping
|
|
151
|
-
# bash logic reads the verdict and emits the rejection log/stderr/exit-2.
|
|
152
|
-
# Parse failure prints `ALLOW` (fail-open, matching the playwright-file-
|
|
153
|
-
# guard contract for malformed stdin).
|
|
154
|
-
GUARD_VERDICT=$(echo "$INPUT" | python3 -c '
|
|
155
|
-
import sys, json, re
|
|
156
|
-
try:
|
|
157
|
-
d = json.load(sys.stdin)
|
|
158
|
-
tool = d.get("tool_name", "")
|
|
159
|
-
ti = d.get("tool_input", {}) or {}
|
|
160
|
-
if tool in ("Write", "Edit"):
|
|
161
|
-
# Write.content OR Edit.new_string can carry inline base64.
|
|
162
|
-
content = ti.get("content") or ti.get("new_string") or ""
|
|
163
|
-
if not isinstance(content, str):
|
|
164
|
-
print("ALLOW"); sys.exit(0)
|
|
165
|
-
# data:<mime>;base64,<≥4096 base64 chars> — threshold matches the
|
|
166
|
-
# doctrine paragraph in .docs/agents.md. The 4096-char body is
|
|
167
|
-
# ~3 KB binary, far above any legitimate inline icon.
|
|
168
|
-
m = re.search(r"data:[^;]+;base64,[A-Za-z0-9+/]{4096,}={0,2}", content)
|
|
169
|
-
if m:
|
|
170
|
-
print(f"REJECT:base64-write-content:{len(content)}")
|
|
171
|
-
else:
|
|
172
|
-
print("ALLOW")
|
|
173
|
-
elif tool == "Bash":
|
|
174
|
-
command = ti.get("command", "")
|
|
175
|
-
if not isinstance(command, str):
|
|
176
|
-
print("ALLOW"); sys.exit(0)
|
|
177
|
-
# Per-segment scan. A compound command like
|
|
178
|
-
# cat in.b64 | base64 -d > out.bin; cat photo.png | base64
|
|
179
|
-
# contains both a legitimate decode AND a malicious encoder. A whole-
|
|
180
|
-
# command decode-flag check is fooled into allowing the encoder. Split
|
|
181
|
-
# on shell separators (;, &&, ||, &) and scan each segment as its own
|
|
182
|
-
# command — the encoder rejection fires when ANY segment is a bare
|
|
183
|
-
# base64 invocation without a paired decode flag in the SAME segment.
|
|
184
|
-
# Pipelines (|) keep the segment together because the encoder direction
|
|
185
|
-
# of `cat file | base64` lives across the pipe.
|
|
186
|
-
segments = re.split(r";|&&|\|\||(?<![|&])&(?![|&])", command)
|
|
187
|
-
rejected = None
|
|
188
|
-
for seg in segments:
|
|
189
|
-
if re.search(r"(?:^|[\s|;&])xxd[\t ]+-p(?![A-Za-z0-9_-])", seg):
|
|
190
|
-
rejected = "xxd-plain-hex"; break
|
|
191
|
-
if re.search(r"(?:^|[\s|;&])base64(?![A-Za-z0-9_-])", seg):
|
|
192
|
-
if not re.search(r"base64[\t ]+[^|]*(?:-d|-D|--decode)(?![A-Za-z0-9_])", seg):
|
|
193
|
-
rejected = "base64-encoder"; break
|
|
194
|
-
if rejected:
|
|
195
|
-
print(f"REJECT:{rejected}:{len(command)}")
|
|
196
|
-
else:
|
|
197
|
-
print("ALLOW")
|
|
198
|
-
else:
|
|
199
|
-
print("ALLOW")
|
|
200
|
-
except Exception:
|
|
201
|
-
print("ALLOW")
|
|
202
|
-
' 2>/dev/null || echo "ALLOW")
|
|
203
|
-
case "$GUARD_VERDICT" in
|
|
204
|
-
REJECT:base64-write-content:*)
|
|
205
|
-
BYTES="${GUARD_VERDICT##*:}"
|
|
206
|
-
echo "[pre-tool-use] guard=base64-write-content bytes=${BYTES} action=reject" >&2
|
|
207
|
-
hook_block_with_emit "$SESSION_ID" "base64-guard" "${TOOL_NAME}" \
|
|
208
|
-
"base64-write-content" \
|
|
209
|
-
"Blocked: ${TOOL_NAME} content carries an inline base64 payload (>4 KB encoded). Inline binary in Write.content overloads the model context — the same path produced a main_stream_stalled at ~33 KB on 2026-05-09.
|
|
210
|
-
Save the bytes to \$ACCOUNT_DIR/tmp/<sha1>.<ext> via Bash (e.g. 'base64 -d > out.png'), then reference the file from the document: <img src=\"./<file>\"> or Read-by-path. Do not carry binary bytes through the assistant turn."
|
|
211
|
-
;;
|
|
212
|
-
REJECT:base64-encoder:*|REJECT:xxd-plain-hex:*)
|
|
213
|
-
REASON="${GUARD_VERDICT#REJECT:}"; REASON="${REASON%:*}"
|
|
214
|
-
BYTES="${GUARD_VERDICT##*:}"
|
|
215
|
-
echo "[pre-tool-use] guard=base64-tool-result bytes=${BYTES} tool=Bash reason=${REASON} action=reject" >&2
|
|
216
|
-
hook_block_with_emit "$SESSION_ID" "base64-guard" "Bash" \
|
|
217
|
-
"$REASON" \
|
|
218
|
-
"Blocked: Bash command would emit binary as inline base64/hex to stdout, which lands in the assistant turn and overloads the model context (the 2026-05-09 Rubytech-invoice path hit 66% context after a single ~33 KB tool_result).
|
|
219
|
-
Instead: save the bytes directly to \$ACCOUNT_DIR/tmp/<sha1>.<ext> and operate on the file via path — Read for inspection, <img src=\"./<file>\"> for HTML embedding, the \`file-presentation\` skill for delivery. Decoding base64 (e.g. 'base64 -d in.b64 > out.bin') is allowed."
|
|
220
|
-
;;
|
|
221
|
-
*)
|
|
222
|
-
: # ALLOW — fall through to approval gating below
|
|
223
|
-
;;
|
|
224
|
-
esac
|
|
225
|
-
|
|
226
|
-
# ── Approval gating (EU AI Act Article 14 — human oversight) ─────────────
|
|
227
|
-
# Strip the mcp__<plugin>__ prefix to get the short tool name.
|
|
228
|
-
# Built-in tools (no prefix) pass through unchanged.
|
|
229
|
-
SHORT_NAME=$(echo "$TOOL_NAME" | sed 's/^mcp__[^_]*__//')
|
|
230
|
-
|
|
231
|
-
# Derive platform root from this hook's location:
|
|
232
|
-
# platform/plugins/admin/hooks/pre-tool-use.sh → platform/
|
|
233
|
-
HOOK_DIR="$(cd "$(dirname "$0")" 2>/dev/null && pwd)"
|
|
234
|
-
PLATFORM_ROOT="${HOOK_DIR}/../../.."
|
|
235
|
-
|
|
236
|
-
# Resolve the single account directory (Phase 0).
|
|
237
|
-
ACCOUNTS_DIR="${PLATFORM_ROOT}/../data/accounts"
|
|
238
|
-
ACCOUNT_DIR=""
|
|
239
|
-
if [ -d "$ACCOUNTS_DIR" ]; then
|
|
240
|
-
ACCOUNT_DIR=$(find "$ACCOUNTS_DIR" -mindepth 1 -maxdepth 1 -type d 2>/dev/null | head -1)
|
|
241
|
-
fi
|
|
242
|
-
|
|
243
|
-
# Default require-review tools — matches DEFAULT_REQUIRE_REVIEW in claude-agent.ts
|
|
244
|
-
DEFAULT_REQUIRE_REVIEW="email-send email-reply whatsapp-send whatsapp-send-document message contact-erase"
|
|
245
|
-
|
|
246
|
-
# Check if this tool requires approval review.
|
|
247
|
-
# 1. Read per-account override from account.json approvalPolicy (if it exists)
|
|
248
|
-
# 2. Fall back to the default require-review list
|
|
249
|
-
POLICY=""
|
|
250
|
-
if [ -n "$ACCOUNT_DIR" ] && [ -f "${ACCOUNT_DIR}/account.json" ]; then
|
|
251
|
-
# Check per-account override first (grep for the tool name in the approvalPolicy block)
|
|
252
|
-
OVERRIDE=$(grep -o "\"${SHORT_NAME}\"[[:space:]]*:[[:space:]]*\"[^\"]*\"" "${ACCOUNT_DIR}/account.json" 2>/dev/null | head -1 | grep -o '"[^"]*"$' | tr -d '"')
|
|
253
|
-
if [ -n "$OVERRIDE" ]; then
|
|
254
|
-
POLICY="$OVERRIDE"
|
|
255
|
-
fi
|
|
256
|
-
fi
|
|
257
|
-
|
|
258
|
-
# If no per-account override, check the default list
|
|
259
|
-
if [ -z "$POLICY" ]; then
|
|
260
|
-
for TOOL in $DEFAULT_REQUIRE_REVIEW; do
|
|
261
|
-
if [ "$SHORT_NAME" = "$TOOL" ]; then
|
|
262
|
-
POLICY="require-review"
|
|
263
|
-
break
|
|
264
|
-
fi
|
|
265
|
-
done
|
|
266
|
-
fi
|
|
267
|
-
|
|
268
|
-
# If not in any policy, auto-execute (allow)
|
|
269
|
-
if [ "$POLICY" != "require-review" ]; then
|
|
270
|
-
exit 0
|
|
271
|
-
fi
|
|
272
|
-
|
|
273
|
-
# ── Special case: contact-erase preview calls pass through ───────────────
|
|
274
|
-
# The contact-erase tool has a two-step flow: first call with confirm:false
|
|
275
|
-
# returns a preview (data counts), second call with confirm:true executes.
|
|
276
|
-
# Only gate the destructive confirm:true call.
|
|
277
|
-
if [ "$SHORT_NAME" = "contact-erase" ]; then
|
|
278
|
-
if ! echo "$INPUT" | grep -q '"confirm"[[:space:]]*:[[:space:]]*true'; then
|
|
279
|
-
exit 0
|
|
280
|
-
fi
|
|
281
|
-
fi
|
|
282
|
-
|
|
283
|
-
# ── Queue the action for approval ───────────────────────────────────────
|
|
284
|
-
PENDING_DIR="${ACCOUNT_DIR}/pending-actions"
|
|
285
|
-
mkdir -p "$PENDING_DIR" 2>/dev/null
|
|
286
|
-
|
|
287
|
-
ACTION_ID="$(cat /proc/sys/kernel/random/uuid 2>/dev/null || python3 -c 'import uuid; print(uuid.uuid4())' 2>/dev/null || date +%s%N)"
|
|
288
|
-
CREATED_AT="$(date -u +%Y-%m-%dT%H:%M:%SZ)"
|
|
289
|
-
|
|
290
|
-
# Write atomically: temp file + mv
|
|
291
|
-
TEMP=$(mktemp "${PENDING_DIR}/.tmp.XXXXXX" 2>/dev/null)
|
|
292
|
-
if [ -z "$TEMP" ]; then
|
|
293
|
-
hook_block_with_emit "$SESSION_ID" "approval-gate" "${TOOL_NAME}" \
|
|
294
|
-
"approval-queue-mktemp" \
|
|
295
|
-
"Blocked: Action requires approval but failed to create queue file (disk error). Failing closed."
|
|
296
|
-
fi
|
|
297
|
-
|
|
298
|
-
# The pending action file contains the full hook JSON (tool_name + tool_input)
|
|
299
|
-
# plus metadata. The MCP approval tools parse it with Node.js JSON.parse.
|
|
300
|
-
cat > "$TEMP" <<ENDJSON
|
|
301
|
-
{
|
|
302
|
-
"actionId": "${ACTION_ID}",
|
|
303
|
-
"toolName": "${SHORT_NAME}",
|
|
304
|
-
"pluginName": "$(echo "$TOOL_NAME" | sed -n 's/^mcp__\([^_]*\)__.*/\1/p')",
|
|
305
|
-
"hookPayload": ${INPUT},
|
|
306
|
-
"state": "pending",
|
|
307
|
-
"createdAt": "${CREATED_AT}"
|
|
308
|
-
}
|
|
309
|
-
ENDJSON
|
|
310
|
-
|
|
311
|
-
if ! mv "$TEMP" "${PENDING_DIR}/${ACTION_ID}.json" 2>/dev/null; then
|
|
312
|
-
rm -f "$TEMP" 2>/dev/null
|
|
313
|
-
hook_block_with_emit "$SESSION_ID" "approval-gate" "${TOOL_NAME}" \
|
|
314
|
-
"approval-queue-mv" \
|
|
315
|
-
"Blocked: Action requires approval but failed to queue (filesystem error). Failing closed."
|
|
316
|
-
fi
|
|
317
|
-
|
|
318
|
-
# Record the queued-for-approval block in the propagation buffer; the
|
|
319
|
-
# readable summary still goes to stdout (CC attaches it as the agent's
|
|
320
|
-
# tool_result). hook_emit_decision is the no-exit variant — the
|
|
321
|
-
# subsequent echoes + exit 2 below remain the operator-facing surface.
|
|
322
|
-
hook_emit_decision "$SESSION_ID" "approval-gate" "${TOOL_NAME}" \
|
|
323
|
-
"block" "approval-queued" \
|
|
324
|
-
"Action ${ACTION_ID} queued for review" 2 0
|
|
325
|
-
|
|
326
|
-
# Extract a readable summary of the action for the agent to present
|
|
327
|
-
# tool_input is the second JSON value in the hook payload
|
|
328
|
-
echo "Action requires approval before execution."
|
|
329
|
-
echo ""
|
|
330
|
-
echo "Action ID: ${ACTION_ID}"
|
|
331
|
-
echo "Tool: ${SHORT_NAME}"
|
|
332
|
-
echo "Status: Queued for review"
|
|
333
|
-
echo ""
|
|
334
|
-
echo "The admin must approve this action before it can execute."
|
|
335
|
-
echo "Use action-approve to send, action-reject to cancel, or action-edit to modify."
|
|
336
|
-
exit 2
|
|
337
|
-
fi
|